The present disclosure is related to cybersecurity in industrial control systems, and in particular to monitoring of cybersecurity threats to industrial control systems.
Operational technology environments are the backbone of a nation's industrial critical infrastructure and contain a myriad of industrial control systems that operate in real time. Industrial control systems refer to the general class of devices including supervisory control and data acquisition (SCADA) systems, distributed control systems, programmable logic control devices, single board computers, or some combination of these types of equipment. Industrial control systems provide the automation in critical infrastructure assets including electric power generation, transmission, and distribution; nuclear power plant generation; oil, gas, and mining exploration, drilling, production, and transportation; large-scale shipping and transportation whether done by land, sea, or air; large-scale water pumping; and waste water and sewage treatment. Industrial control systems perform functions such as collecting and transmitting data from sensors; opening or closing valves, breakers, or pumps; starting or terminating the operation of devices; or monitoring the operational technology environment for abnormal conditions in order to alert the operator and possibly sound alarms.
Digital agents, interchangeably also called logical agents or software agents, are used extensively in all types of computer networked systems, in both information technology and operational technology environments. Typically, these digital agents are categorized as “intelligent,” meaning that the digital agent itself performs some level of analysis and makes logic decisions based on algorithms or heuristics. As a result of the analysis and decision making, the digital agents then perform actions to control the networked devices. One example is managing equipment, such as disclosed in U.S. Pat. No. 5,655,081. Because these digital agents perform higher level functions, the digital agents often use an artificial intelligence paradigm in performing that functionality. The data collected by the digital agent may reside within database digital agents and is not passed, in the form in which it was collected, outside of the digital agent. Rather, the data is processed by the digital agent itself.
These “intelligent digital agent” inventions function in a number of ways, including by inputting and analyzing information in the software of the digital agent using logic trees or a set of rules; by calculating scores or metrics to guide the decisions; or by computing on the inputted data and comparing it to predefined values. Regardless of their functionality, these digital agents have one computational aspect in common: intelligent digital agents analyze the data within the software on the digital agent, which requires the digital agent to have decision power and control to perform some action that alters the computer network system. This is why these digital agents are categorized as “intelligent.”
Industrial control systems are a special type of networked systems and used in operational technology environments. Digital agents used in industrial control systems perform some level of automation in systems and are used in systems such as manufacturing facilities, power system substations, or chemical processing plants. The digital agents according to the prior art used in these industrial control systems monitor, manage, and control the industrial control systems, such as disclosed in US 20060117295 A1. Often the industrial control system contains digital agents with different, specific functions such as retrieving data, maintaining a localized database, controlling other digital agents, controlling equipment, etc. The overall industrial control system typically comprises networks of these different types of digital agents to create the knowledge used within the system to make decisions.
Within the domain of cybersecurity, intelligent digital agents may be used to detect security alerts, such as disclosed in U.S. Pat. No. 6,182,249 B1; to search for network vulnerabilities, such as disclosed in WO 2000070463 A1, by building a complex vulnerability analysis network; or to compare against an established database of existing, static metrics. These digital agents exhibit some level of intelligence and have specialized functions.
Industrial control systems are increasingly the target of cyber-attacks by criminals, terrorists, and hacktivists, each with their own motives to disrupt or threaten to disrupt operations. The current cyber threats to industrial control systems are the advanced persistent threat (APT) attacks, or “low-and-slow” attacks, that escape more conventional methods for detecting cybersecurity attacks such as perimeter security, intrusion detection systems, or virus and malware/spyware removers. However, industrial control systems are also exposed to and the target of cyber-attacks other than APTs, both sophisticated and non-sophisticated.
The real-time nature of industrial control systems requires precise synchronization of processes such as reading and transmitting data from sensors, managing the automation process, or performing mechanical or electrical functions based on the current status and state of the industrial control systems. The timing within an industrial control system must be precise to within milliseconds and sometimes microseconds, and there are consequently two timing issues for any technology inserted into industrial control systems. First, monitoring functionality cannot introduce latency or delays into the industrial control system through the overhead required by the digital agents. This leads to the requirement that the digital agent is non-intrusive and operates in a non-intrusive manner. Cybersecurity technology used to monitor, detect, respond to, or remediate a cyber-attack may slow the system down by a delay that is imperceptible to a human user but unacceptable in an industrial control system. Latency, no matter how minute in an information technology environment, cannot be tolerated within an operational environment. Secondly, monitoring the system to detect a cyber-attack must not directly interfere with the timing of the control system and possibly risk causing additional damage. That is, the monitoring functionality cannot arbitrarily interfere with the functionality of the industrial control systems, such as turning valves on or off, reading from sensors, etc., to the detriment of the industrial control system. Any action by the monitoring system must be carefully planned with a realization of the possible consequences when executed in the industrial control systems.
The most effective and sophisticated monitoring and detection functionality is executed by or assisted by software modules that monitor the system continuously to detect anomalous behavior, analyze the data efficiently and effectively, and correlate activities related to anomalous behavior over a time span to detect that a cyber-attack incident is underway or imminent.
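As an added illustration, not taken from the patent, of the passive monitor described above: the correlator below consumes copies of industrial control system events, never sends anything back toward the control network, and flags a source whose sensitive operations never exceed a per-minute rate (so a rate-based detector would miss them) but accumulate over a longer window. The event names, host names, thresholds, and sample records are all constructed assumptions.

```python
from collections import deque

# Constructed sample of passively copied ICS events: (timestamp_s, source, event_type).
# Every sensitive operation here is minutes apart, i.e. "low and slow".
SAMPLE_EVENTS = [
    (0.0, "hmi-1", "write_coil"),
    (90.0, "hmi-1", "read_register"),
    (600.0, "eng-ws-2", "write_coil"),
    (1800.0, "eng-ws-2", "firmware_query"),
    (3000.0, "eng-ws-2", "write_coil"),
    (3300.0, "hmi-1", "read_register"),
    (4000.0, "eng-ws-2", "write_coil"),
]

# Assumed set of operations worth correlating (not from the patent).
SENSITIVE = {"write_coil", "firmware_query"}


class LowAndSlowCorrelator:
    """Read-only correlator: it only returns alerts and never issues commands.

    Per-event work is bounded by the number of retained timestamps, which are
    trimmed to the window, so it cannot accumulate unbounded processing time."""

    def __init__(self, window_s=3600.0, threshold=3):
        self.window_s = window_s
        self.threshold = threshold
        self.history = {}   # source -> deque of sensitive-event timestamps
        self.alerted = set()

    def observe(self, ts, source, event):
        if event not in SENSITIVE:
            return None
        q = self.history.setdefault(source, deque())
        q.append(ts)
        while q and ts - q[0] > self.window_s:   # drop events outside the window
            q.popleft()
        if len(q) >= self.threshold and source not in self.alerted:
            self.alerted.add(source)
            return {"source": source, "count": len(q), "first": q[0], "last": ts}
        return None


def correlate(events, window_s=3600.0, threshold=3):
    """Run the correlator over time-ordered events and collect the alerts."""
    c = LowAndSlowCorrelator(window_s, threshold)
    return [a for a in (c.observe(*e) for e in sorted(events)) if a]


def max_sensitive_per_minute(events):
    """Peak count of sensitive events in any 60 s window, as a rate detector would see it."""
    ts = sorted(t for t, _, ev in events if ev in SENSITIVE)
    return max(sum(1 for u in ts if t - 60.0 < u <= t) for t in ts)
```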
Due to the intelligent nature of the digital agents according to the prior art, there is a significant risk that the agent may interfere with processes ongoing in the industrial control system in an unacceptable way or induce unacceptable delays and latencies in the ongoing processes.